Last Updated: 2006-12-30 14:19:41 UTC
by Daniel Wesemann (Version: 1)
Update 1530UTC: AV protection coming online, Trojan-Downloader.Win32.Tibs.jy (Kaspersky), W32/Dref-U (Sophos) W32.Nuwar.AY (TrendMicro). ClamAV was one of the first AVs to have protection available when the wave started last night, they are calling it Downloader-388.
There is also a set of BleedingSnort Sigs available which helps in detecting an existing infection (systems reporting to C&C).
Update 1400UTC: Symantec has thrown their hat in the ring with W32.Mixor.Q@mm.
Last Updated: 2006-12-29 13:59:38 UTC
by Daniel Wesemann (Version: 1)
Relax, you pundits of the pristine ISC blog, we are not going off-topic again. This story is about what can happen when you use a popular search engine in an attempt to look up side effects of a prescription drug. Thus happened, when Louis entered "Percocet" (a pain medication) and made the mistake to click onto the least sensible search result: http://www. pharmacy. topsearch20.net/search.php?q=percocet
I recommend you continue reading before you do like Louis and click on the above. Because the page returned, in addition to peddling cheap drugs, also includes two nifty IFRAMEs:
Again, these are - at the time of writing - live URLs, hosting bad stuff. Dont go there. Or, if you must, at least don't complain to us if you turn your PC into a brick while "investigating" the site.
statrafongon[dot]biz resolves to 126.96.36.199, which in itself already is an indication that something fishy could be waiting there - this IP range (188.8.131.52/20) is one of the address segments used by the CoolWebSearch gang in Russia to propagate their toys. Let's look at what they serve this time:
new.php?adv=8 contains a copy of the MS06-014 (MDAC/RDS.Dataspace) exploit. The exploit used is lifted pretty much in verbatim from the Metasploit framework, in fact the successful exploit would even write the downloaded malware as "metasploit.exe" to the disk.
While the Tom Liston Method(tm) to unravel such scripts is highly effective, I still prefer to do my unstuffing in Perl under Unix: $cat index.html | perl -pe 's/\%(..)/chr(hex($1))/ge' does the trick easily, and shows us that the page includes no less than five IFRAMEs, named exp1.htm to exp5.htm. Downloading and looking at each of these files individually, we found the following:
exp1.htm contains a different exploit for the same MS06-014 (RDS) vulnerability already seen above.
exp2.htm contains yet another stab at MS06-014.
exp3.htm goes after the WebViewFolderIcon (MS06-057) hole, again borrowing the code practically unchanged from Metasploit
exp4.htm contains an exploit of the VML vulnerability (MS06-055).
exp5.htm goes after the recent XML core services bug (MS06-071), and is using a copy of the PoC code posted at milw0rm.
The strategy to use five exploit variants seems to work - when I tested these files with some AV products, none was able to spot all five attempts. When successful, all five exploits would try to download and run a "win32.exe" off the same site. At the time of discovery (when Louis stumbled onto the site), win32.exe brought back a blank screen at Virustotal. By now, the situation has improved a bit.
The lesson learned? As far as we could determine, nothing happened to Louis' PC. Not because of his Antivirus, only because his PC was diligently patched. Otherwise, this pain reliever could have had serious side effects.